Hi Ken,

Software Agents and Data Mining. Summaries can be helpful but may, and probably will, be insufficient to satisfy demands for information. Data Mining can solve many of the anticipated requests for information but not all. Software Agents can be developed to address the majority of requests for information.

The EHR system must be structured to respond to both types of interrogations. "... periodic report ... summary of their activities ... ..." could be helpful but possibly not very useful. A Patient or Provider tool with an audit trail and a 'grep' tool would probably be better. Additionally, the user is probably not interested in getting a summary report of what they did and is likely not interested in their own security.

Record locks and loggers could be valuable in part at specific points in the global system. This would not, however, provide record-based security at other points where no security or protections exist. Alternative methods could provide additional security but they would likely involve translation and mutation, translation of information to mask identities and mutations to mask record formats. These would be accompanied by notifications so that the prior security mechanisms would be able to track record handling.

This is a deep topic and as always requires constant attention and modifications.

Regards!

-Thomas Clark

Thompson, Ken wrote:

>Has anyone got any experience with the effect of providing users a periodic
>summary of their activities on an EHR system? We are looking at a couple of
>different options.
>
>1) A periodic report to our user's inbox outlining their use of the system.
>This has an added benefit of giving the user a concrete sense of the
>benefits they receive from the system as well as confirming that their
>actions are, indeed, being monitored.
>
>2) A mechanism on the patient record itself that displays a list of all
>users that have accessed the record (with date and time). This will probably
>be made available to the patient at some point, so they will actually
>provide a critical part of the checks and balances in the system.
>
>Any other thoughts on this?
>
>Best Regards,
>
>Ken Thompson
>
>-----Original Message-----
>From: Nathan Lea
>To: Thomas Beale
>Cc: Openehr-Technical
>Sent: 3/9/2004 4:46 AM
>Subject: Re: Data Security was: Basic EHR functionality
>
>On 9 Mar 2004, at 06:51, Thomas Beale wrote:
>
>>A well known study in Harvard medical school (I think) showed that
>>putting the message "Do not inappropriately access patient data - all
>>your accesses are being logged" on clinician screens a few times a day
>>resulted in a drop to near 0 of inappropriate access. No other
>>technology was used
>>
>Indeed - but the (perhaps) disingenuous claim which is flashed across
>clinicians' screens will only work for a finite period before people
>stop believing it and revert to their old habits. Security is a
>process, and it requires constant amendment and updating. If someone
>wants to "attack" a system (in this case by inappropriately accessing
>records), they will. To use a phrase which is undoubtedly well known to
>everyone, "there is no silver bullet" - especially where security is
>concerned...
>
>A good book to look at on the subject of insecure data is The Art of
>Deception by Kevin Mitnick.
>
>Never say die.
>
>Best,
>
>Nathan
>-
>If you have any questions about using this list,
>please send a message to d.lloyd at openehr.org

